xworm

Sharing

Copy URL

Twitter E-mail

General

Target

XHorionUPDATED.rar
Size

1.2MB
Sample

250301-17zvbavsdy
MD5

31a315cc0c9ed0848b0a6a6bbc719259
SHA1

01759a522fb18f9e3303ea686fb2e6b1ccfd2587
SHA256

a50ef8bbeb3468b1eb76246551b98f0500e597c0a1d1cd552e9951cea572f6e0
SHA512

8457255e11862f150b876647074e9aaf460bc82ba11809395a11ba5a77b2474c7b499f359f83b490b0f69727df10fafda511b3df08b59c0e527f3436965c684d
SSDEEP

24576:S+Ivn2D8Fkj52SQvEYDni0jairFnTGGPc8/4yIHN1a8s5npKzcmTgDFQRkAWSXxk:S+I5kj52Zv7Di7iRBE8/4JHXa8mKzHgt

Score

10^/10

Malware Config

Extracted

Family

xworm

supersigma9-32916.portmap.host:32916

Attributes

Install_directory
%AppData%
install_file
USB.exe

Targets

- Target
  
  XHorionUPDATED.rar
- Size
  
  1.2MB
- MD5
  
  31a315cc0c9ed0848b0a6a6bbc719259
- SHA1
  
  01759a522fb18f9e3303ea686fb2e6b1ccfd2587
- SHA256
  
  a50ef8bbeb3468b1eb76246551b98f0500e597c0a1d1cd552e9951cea572f6e0
- SHA512
  
  8457255e11862f150b876647074e9aaf460bc82ba11809395a11ba5a77b2474c7b499f359f83b490b0f69727df10fafda511b3df08b59c0e527f3436965c684d
- SSDEEP
  
  24576:S+Ivn2D8Fkj52SQvEYDni0jairFnTGGPc8/4yIHN1a8s5npKzcmTgDFQRkAWSXxk:S+I5kj52Zv7Di7iRBE8/4JHXa8mKzHgt
Score

10^/10

xworm discovery rat trojan
- Detect Xworm Payload
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Xworm family
  xworm
- Downloads MZ/PE file
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral1
- Target
  
  XHorionUPDATED/XHorionUPDATED/XHorion/Instructions.txt
- Size
  
  481B
- MD5
  
  5747b4f3aedd03269f89e577e62c9050
- SHA1
  
  03eea736086d77122fee51633751ac3a438e4e99
- SHA256
  
  cb2f775b6856cc7f31986b8ef607bbb01f6cecdce3ea952f0dd37c0700d43b85
- SHA512
  
  bd39ee337dcafa1d5154735600693a12d131f5f7b9bd3c32511ceccfa4192ceac966f3f23699f523bc90b97497c406a36b60d37aad0f2850c87778d11578e82b
Score

1^/10
behavioral2
- Target
  
  XHorionUPDATED/XHorionUPDATED/XHorion/XHorion.exe
- Size
  
  381KB
- MD5
  
  c32d172e5c95cf1aa5b4c613d80ed560
- SHA1
  
  1c035ac306f5f8f4456d3ecc1d3c8df94880d9db
- SHA256
  
  dfee0ccb7bec6a99d768fa48b0f604d8fc489a91622a51bcf892aca5a28e3459
- SHA512
  
  dc3687096cd0dbb095fadf2db0bf56e64bc7ce9c6cce9f52f5d40ec64e76a9a4f5ffc079acac29b1edc18c5d8cf82b63dbc7046c97f4240ca57772d5ae014ba8
- SSDEEP
  
  6144:HLxAmawQT854JZ7AV4NHnKmLJLde/dclUw7giqRe:aZlsYM4hKmdY/2u
Score

10^/10

xworm rat trojan
- Detect Xworm Payload
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Xworm family
  xworm
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral3
- Target
  
  XHorionUPDATED/XHorionUPDATED/XHorion/XHorionClient.exe
- Size
  
  89KB
- MD5
  
  193cf6ebb53410e9d283c7fa249cbc27
- SHA1
  
  de4ce04aaf927f35df0c049c0c7c759aa89de8ea
- SHA256
  
  efa4393fd460946721a1cfe9e6d65b29248836af9e1eeabef2d3a90fd02f3368
- SHA512
  
  4a775b43e7a8ba5c6642ccbcf34f68ce1456e8f50e2c8a8e812f825bc6822e70735b4de895f6bdd4ab06bd6b78c797560521f0e7b4551337e1042e8d402bc7ea
- SSDEEP
  
  1536:n7fbN3eEDhDPA/pICdUkbBtW7upvaLU0bI5taxKo0IOlnToIfpwYOU:77DhdC6kzWypvaQ0FxyNTBfpF
Score

3^/10

discovery
behavioral4
- Target
  
  XHorionUPDATED/XHorionUPDATED/XHorion/bin/WlanRadioManager.dll
- Size
  
  67KB
- MD5
  
  bc03572751083fcaf62795dee79400e1
- SHA1
  
  f953d3c60cce1462bb89c89412e0e576cad9b608
- SHA256
  
  7b7b3b275a9a04e6e9f9b4ec02953ea7d6f8cf557424931f424548a87adcc149
- SHA512
  
  50028aed08be80255262642de7c0913f9915ce099e50fb4ca20ac7446293cefe337e297a279838696932ba69ff458c49211976e1afa05745ee10a56b28b13dba
- SSDEEP
  
  1536:XT/QeMaM587S11kkKoEnXnm43dJix4j+bwylw:XTpMaS11kkK/W+Jix4Cbwylw
Score

1^/10
behavioral5
- Target
  
  XHorionUPDATED/XHorionUPDATED/XHorion/bin/d3d10core.dll
- Size
  
  36KB
- MD5
  
  c2aadefa18b26204f1bd20d6ba60fdf2
- SHA1
  
  0df45af0b2722018c160bae0d3a7916b9dafb585
- SHA256
  
  ecd286db078d0c61deb81a5df0886e36e0a4015297cf8ca4c499cbe102927175
- SHA512
  
  b3d7d0a39906a4c600ea31dee64d9e60547ee2367dc7314e051bb97527be34475372a6271f82ba28d647b114f452b985e3bb1b28cbbfa9a18cc84a9dfcbbcb0d
- SSDEEP
  
  384:k89Q1Tw0BeYIO50TS/7hU5TivOJBy1DYTH3WNoWdIBeQmoTHlfFRm49Muf:kx1cKx50KUBivOJEVYTHqrIXlX
Score

1^/10
behavioral6
- Target
  
  XHorionUPDATED/XHorionUPDATED/XHorion/bin/l2nacp.dll
- Size
  
  62KB
- MD5
  
  7e2291d1c816d067a1a588869cea5d5d
- SHA1
  
  464e4391b864d47836de452849a5bfe82a36189e
- SHA256
  
  ac3709630ccead3ed3584564386418ae7557ba978251cdddd4266cc14ad0639e
- SHA512
  
  e703ee3f34c0a0e7bad0c874367b55868b0c0f1ecf9a3b0d408fc9f1b2894bbdc3be31fcfd01fe8f4d9111c49bb8684cdb8ebdaecca3d4dda055a4c4aa3e794b
- SSDEEP
  
  768:s6OE9hOHA3YKlRy8ir4sdtH3Fuvf4cJ/Fl4hoelt0Tnct46nePtP4CUSUGAA3qUC:XhX2uIu3xejQPtsRGVajr
Score

1^/10
behavioral7
- Target
  
  XHorionUPDATED/XHorionUPDATED/XHorion/bin/libvpl.dll
- Size
  
  502KB
- MD5
  
  0a678cefdfccb717a9745f9294a61109
- SHA1
  
  0c25235ae23faf11e9a7855afe0628c8499ca500
- SHA256
  
  3b8ceb7c978665b75ee6ddf3bc7efbd8e9ff03edcab44dfa92f3b667586c36c6
- SHA512
  
  c446a9e10cddbce4cf5181ba56b412ae96beb3ece5ad29298f05a54ab8fd0f21a8ad1c586f4f2150d9b899da73981da748e4bc9ec0bdc820e3ff5730b068729f
- SSDEEP
  
  6144:XTNdC09UJs/NxfjxY4MyZyVThwbjR2qdASddRhBhoM:Us/NxdY4yaboGdzP6M
Score

1^/10
behavioral8
- Target
  
  XHorionUPDATED/XHorionUPDATED/XHorion/bin/msauserext.dll
- Size
  
  23KB
- MD5
  
  1ca7bea4214d26d55d315ccb20bb3af7
- SHA1
  
  ef372265ae5adbe0bf081c7a737576ca634e2377
- SHA256
  
  775911f198bbb26963d98f06508e10797ca8f2f40293bd00db6715afc4097371
- SHA512
  
  6a5f36528b28811edead0b63259c5135d1a15e138d0ae8b7ac61fd5a332fdfe0d53ce4f4e147e412389456f1c69b34e80120ac2c52719ce6df9ea9f8e86d4c80
- SSDEEP
  
  384:7we2tLvD2VaW3n9I7BKAhceK9mgYxgA/WCyOW:ozDsaWEBKAzgYxgAby
Score

1^/10
behavioral9
- Target
  
  XHorionUPDATED/XHorionUPDATED/XHorion/bin/pstorec.dll
- Size
  
  16KB
- MD5
  
  7a68cdca2338fb226fbc61925791bce7
- SHA1
  
  b9eb5c2d6c1e67093c9c709064b50d5eebea640a
- SHA256
  
  fdf77e40fcebe6e1db2e6679ead423962c0359d24b9c91efbfe1bc8675d36392
- SHA512
  
  1749ffed95f726c53acee5f2e3d4a4ff2913f77e267c72f535a3426e988b5c92abf156457213a49e41378b6ef9044e73dd6776ba2a14889f0f206664dfebaad9
- SSDEEP
  
  192:2BTOzZjSA7if+EcbZLWSvwaWDLq6sEQL6gqyz5sqAp3M:2BTsZj8KZLWSvwaWa6eLPj6qAtM
Score

1^/10
behavioral10
- Target
  
  XHorionUPDATED/XHorionUPDATED/XHorion/bin/wlanpref.dll
- Size
  
  758KB
- MD5
  
  c9c519baeea9bc3679576f55621b9828
- SHA1
  
  dc7a06f7ea6a262a52f38162de95e7d1c091fdb6
- SHA256
  
  2d219e5d709d27462b807e0455a2ecfb77d61e694d43dbad82eb81eddcbd881a
- SHA512
  
  0f1d60de2ab21a0b391a23b9c353e5e28be097b0235f68ff3e909c806c6404c7111e4e130790264eef977f37da6d9754dba1f104158811084679c069cbfe81d3
- SSDEEP
  
  12288:yL9GSda7ZUoV+dQxIRsI47/4CD/Qtn47/4C9mCHDd:3SARsSxIoIOf
Score

1^/10
behavioral11
- Target
  
  XHorionUPDATED/XHorionUPDATED/XHorion/bin/wlansec.dll
- Size
  
  470KB
- MD5
  
  7e7f9c225f1663a1b27ccfd0aaccf62d
- SHA1
  
  fa4cad5a61c14d5fca55a34c896ccb618dc53395
- SHA256
  
  448caba8611122f32dc05989a969d2e1e5e9171620a98c10a8c401bed370d497
- SHA512
  
  c536d7d31093b3982cef3b399a35d9f977df30b7904a96b55633803f9c4cd52c84ba1a3c0a459f103a3284953a5e7b63523de50721bacf8cf1996e57adbf8001
- SSDEEP
  
  6144:wMlM8qBilA8VA9QttnNR9tQUd00QZCJerNRP4nA6C+TIsjDUMhtLRExiJkHPH:3Cil1VAQtnfPQXVZCJsRMM6gMhgp
Score

1^/10
behavioral12
- Target
  
  XHorionUPDATED/XHorionUPDATED/XHorion/msdelta.dll
- Size
  
  545KB
- MD5
  
  4bc8ff2d8b8ebb742b6d801af0ccd4d0
- SHA1
  
  980d331a2b0a24042a99e703b929b8bf626f2983
- SHA256
  
  098a2a12856c374b418013a1806a9f9f14517c733aed83886ec657c21b57d755
- SHA512
  
  dcd27a668cfa7b1692b269d062cce2633290979f958b8f7e2357e73d77b3f384b7b961c3fd6d34923f365180489164a5a76674479716906d0a16727c54cedaad
- SSDEEP
  
  6144:pNah/g+K1oXF83acDxamsw5S+kv4fw0SxUXiqOLC/38Eed2dpq8kOP5s:+lTKycdDxIti9X1OLC/383d2dgMq
Score

1^/10
behavioral13
- Target
  
  XHorionUPDATED/XHorionUPDATED/XHorion/nlahc.dll
- Size
  
  94KB
- MD5
  
  232030613e75729314f0b0f923224434
- SHA1
  
  7c94d621579b3568c306c5e72f8befa770c503c5
- SHA256
  
  51502f1c0d3c2a628399abf6740bece72c94092af91672d4e1c58d732c73db1f
- SHA512
  
  e77c00c1b3d6a37e9c65f4da79b3c41693edfeff87b4e88719d7635d0c0ab3116446ed7858e728a9ec9633ee762f858edfecf049385255732e3fef15ccdb3644
- SSDEEP
  
  1536:dZwWnLyb0gs2nXIOoxS+eo6Wc9JfJ+BkCmdZb9aAw+i/JVpB2cuP5Yb9dH1ayB6:bwOUqIXIOaSao9J4khZJbw+uVHuP5YTY
Score

1^/10
behavioral14

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

Detect Xworm Payload

Xworm family

Downloads MZ/PE file

Checks computer location settings

Executes dropped EXE

Looks up external IP address via web service

Detect Xworm Payload

Xworm

Xworm family

Checks computer location settings

Executes dropped EXE

Looks up external IP address via web service

MITRE ATT&CK Enterprise v15

Tasks

static1

behavioral1

behavioral2

behavioral3

behavioral4

behavioral5

behavioral6

behavioral7

behavioral8

behavioral9

behavioral10

behavioral11

behavioral12

behavioral13

behavioral14